From 05f1ed756b325dab96eaf9f605b2c3ff32f56864 Mon Sep 17 00:00:00 2001 
From: Tobias Wennergren Date: Tue, 7 Oct 2025 13:14:36 -0700 Subject: [PATCH] chore: pin GitHub Actions to SHA1 for supply chain security (#67019) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## What - Pin all GitHub Actions to their specific SHA1 hashes to reduce supply chain attack risk - Replaces version tags with specific commit SHAs - Includes version comments for easier reference - Changes generated with the pinact tool See internal wiki page on supply chain security for further info ## How Used the tool pinact to pin the sha for github actions. ## Review guide ## User Impact No impact ## Can this PR be safely reverted and rolled back? - [x] YES 💚 - [ ] NO ❌ --- .../connector-image-build-push/action.yml | 12 ++-- .../get-dagger-engine-image/action.yml | 4 +- .github/actions/install-airbyte-ci/action.yml | 10 +-- .../install-java-environment/action.yml | 4 +- .github/actions/run-airbyte-ci/action.yml | 8 +-- .../runner-prepare-for-build/action.yml | 6 +- .github/actions/start-aws-runner/action.yml | 4 +- .../approve-regression-tests-command.yml | 6 +- .github/workflows/auto_merge.yml | 6 +- .github/workflows/auto_merge_notification.yml | 4 +- .github/workflows/autodoc.yml | 2 +- .../build-connector-images-command.yml | 6 +- ...ulk-cdk-and-release-connectors-command.yml | 4 +- .../bump-bulk-cdk-version-command.yml | 12 ++-- .../bump-cdk-version-and-merge-command.yml | 8 +-- .github/workflows/bump-version-command.yml | 10 +-- .../cdk-connector-compatibility-test.yml | 16 ++--- .github/workflows/connector-ci-checks.yml | 46 ++++++------- .github/workflows/connector-image-build.yml | 16 ++--- .../connector-performance-command.yml | 22 +++---- .github/workflows/connectors_insights.yml | 10 +-- .github/workflows/connectors_up_to_date.yml | 6 +- .../docker-connector-base-image-tests.yml | 64 +++++++++---------- .../docker-connector-image-publishing.yml | 14 ++-- .github/workflows/docker-image-pruning.yml | 2 +- 
.github/workflows/docs-build.yml | 16 ++--- .github/workflows/finalize_rollout.yml | 4 +- .github/workflows/format-fix-command.yml | 16 ++--- .github/workflows/format_check.yml | 10 +-- .github/workflows/gradle-dependency-diff.yml | 6 +- .../workflows/internal-airbyte-ci-release.yml | 20 +++--- .../workflows/internal-airbyte-ci-tests.yml | 10 +-- .github/workflows/java-bulk-cdk-publish.yml | 16 ++--- .github/workflows/java-cdk-tests.yml | 20 +++--- .../workflows/jvm-connector-pr-structure.yml | 4 +- .../label-github-issues-by-context.yml | 2 +- .github/workflows/label-prs-by-context.yml | 2 +- .github/workflows/live_tests.yml | 4 +- ...ata_service_deploy_orchestrator_dagger.yml | 2 +- .github/workflows/poe-command.yml | 4 +- .../workflows/publish-java-cdk-command.yml | 22 +++---- .github/workflows/publish_connectors.yml | 10 +-- .github/workflows/regression_tests.yml | 6 +- .github/workflows/run-cat-tests-command.yml | 6 +- .../workflows/run-connector-tests-command.yml | 6 +- .github/workflows/slash-commands.yml | 6 +- .github/workflows/stale-community-issues.yaml | 4 +- .github/workflows/stale-routed-issues.yaml | 4 +- .../workflows/test-performance-command.yml | 26 ++++---- .../update-connector-cdk-version-command.yml | 16 ++--- .github/workflows/upload-metadata-files.yml | 8 +-- .github/workflows/welcome-message.yml | 6 +- 52 files changed, 279 insertions(+), 279 deletions(-) diff --git a/.github/actions/connector-image-build-push/action.yml b/.github/actions/connector-image-build-push/action.yml index ab2c93d7277..13f9e180b2b 100644 --- a/.github/actions/connector-image-build-push/action.yml +++ b/.github/actions/connector-image-build-push/action.yml @@ -75,7 +75,7 @@ runs: using: "composite" steps: - name: Install the latest version of uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0 - name: Install Poe and yq shell: bash 
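Review bot: Pinning `astral-sh/setup-uv` to a commit in the `@@ -75,7` hunk does not pin what the step installs: the step has no `with:` block and is still named "Install the latest version of uv", so it presumably still fetches whichever uv release is newest at run time. If the aim is a reproducible toolchain, add `with:` and `version: "<pinned uv version>"` under the `uses:` line and rename the step to match. The same unversioned `setup-uv` step appears in the install-airbyte-ci, cdk-connector-compatibility-test, connector-ci-checks and connector-image-build hunks. The `check-latest: true` on the `setup-python` steps and `node-version: "lts/*"` in runner-prepare-for-build are floating in the same way. The composite action's `steps:` list continues outside this hunk, so the later "Install Poe and yq" commands could not be checked for the same issue.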
@@ -301,18 +301,18 @@ runs: - name: Login to Docker Hub if: ${{ steps.check-exists.outputs.do-publish == 'true' && inputs.docker-hub-username != '' && inputs.docker-hub-password != '' }} - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: username: ${{ inputs.docker-hub-username }} password: ${{ inputs.docker-hub-password }} - name: Set up Docker Buildx if: ${{ steps.check-exists.outputs.do-build == 'true' }} - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Build connector image for testing if: ${{ steps.check-exists.outputs.do-build == 'true' }} - uses: docker/build-push-action@v5 + uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0 with: context: ${{ steps.vars.outputs.connector-dir }} file: docker-images/Dockerfile.${{ steps.vars.outputs.connector-type }}-connector @@ -334,7 +334,7 @@ runs: - name: Build and push connector image (multi-arch) if: ${{ steps.check-exists.outputs.do-build == 'true' }} - uses: docker/build-push-action@v5 + uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0 with: context: ${{ steps.vars.outputs.connector-dir }} file: docker-images/Dockerfile.${{ steps.vars.outputs.connector-type }}-connector @@ -347,7 +347,7 @@ runs: - name: Run Image Vulnerability Scan if: ${{ steps.check-exists.outputs.do-build == 'true' }} - uses: anchore/scan-action@v6 + uses: anchore/scan-action@1638637db639e0ade3258b51db49a9a137574c3e # v6.5.1 with: image: "${{ steps.vars.outputs.connector-image-name }}" output-format: "table" diff --git a/.github/actions/get-dagger-engine-image/action.yml b/.github/actions/get-dagger-engine-image/action.yml index 7f03269b4bc..349e58fe12d 100644 --- a/.github/actions/get-dagger-engine-image/action.yml +++ b/.github/actions/get-dagger-engine-image/action.yml 
@@ -20,7 +20,7 @@ runs: - name: Restore dagger engine image cache id: dagger-engine-image-cache-restore - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: ${{ inputs.path_to_dagger_engine_image_cache }} key: ${{ inputs.dagger_engine_image }} @@ -39,7 +39,7 @@ runs: - name: Save dagger engine image cache id: dagger-engine-image-cache-save if: steps.dagger-engine-image-cache-restore.outputs.cache-hit != 'true' - uses: actions/cache/save@v4 + uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: ${{ inputs.path_to_dagger_engine_image_cache }} key: ${{ inputs.dagger_engine_image }} diff --git a/.github/actions/install-airbyte-ci/action.yml b/.github/actions/install-airbyte-ci/action.yml index be5ddb8d3b1..0abae543bb5 100644 --- a/.github/actions/install-airbyte-ci/action.yml +++ b/.github/actions/install-airbyte-ci/action.yml @@ -18,7 +18,7 @@ runs: using: "composite" steps: - name: Get changed files - uses: tj-actions/changed-files@v44 + uses: tj-actions/changed-files@2d756ea4c53f7f6b397767d8723b3a10a9f35bf2 # v44.0.0 # When the PR is from a fork, we always install from binary, so we don't need to check for changes if: inputs.is_fork == 'false' id: changes @@ -57,7 +57,7 @@ runs: - name: Install Python 3.11 id: install-python-3-11 - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1 if: steps.determine-install-mode.outputs.install-mode == 'source' with: python-version: "3.11" @@ -68,7 +68,7 @@ runs: - name: Install the latest version of uv if: steps.determine-install-mode.outputs.install-mode == 'source' - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0 - name: Install Airbyte CI from source id: install-airbyte-ci-source if: steps.determine-install-mode.outputs.install-mode == 'source' 
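Review bot: The `tj-actions/changed-files` pin in the `@@ -18,7` hunk of install-airbyte-ci/action.yml should be verified by hand rather than taken from pinact's output, because the tool records whichever commit the `v44` tag resolved to when it ran. That action's release tags were repointed in a publicly reported incident earlier in 2025, and nothing in the patch shows the SHA was compared with the upstream release history. The pin also freezes the step on `v44.0.0`, so later fixes to that action no longer arrive. Unless Dependabot or Renovate is configured for the `github-actions` ecosystem (not visible in this patch), every pin added here will age silently. The same check applies to the less widely used third-party pins such as `nick-fields/retry`, `jwalton/gh-docker-logs` and `bcgov/action-pr-description-add`.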
@@ -78,7 +78,7 @@ runs: - name: Upload uv logs as artifacts on failure if: failure() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: uv-logs path: /opt/uv/logs/ @@ -86,7 +86,7 @@ runs: - name: Upload pipx logs as artifacts on failure # E.g. /opt/pipx/logs/cmd_2025-05-01_16.46.50_1_pip_errors.log if: failure() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: pipx-logs path: /opt/pipx/logs/ diff --git a/.github/actions/install-java-environment/action.yml b/.github/actions/install-java-environment/action.yml index 8e4148df046..63fdcde6a07 100644 --- a/.github/actions/install-java-environment/action.yml +++ b/.github/actions/install-java-environment/action.yml @@ -19,11 +19,11 @@ inputs: runs: using: "composite" steps: - - uses: actions/setup-java@v4 + - uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1 with: distribution: corretto java-version: ${{ inputs.java_version }} - - uses: gradle/actions/setup-gradle@v3 + - uses: gradle/actions/setup-gradle@d9c87d481d55275bb5441eef3fe0e46805f9ef70 # v3.5.0 with: cache-read-only: ${{ inputs.gradle_cache_read_only }} cache-write-only: ${{ inputs.gradle_cache_write_only }} diff --git a/.github/actions/run-airbyte-ci/action.yml b/.github/actions/run-airbyte-ci/action.yml index 8fc7fb5f51d..60212620535 100644 --- a/.github/actions/run-airbyte-ci/action.yml +++ b/.github/actions/run-airbyte-ci/action.yml @@ -120,7 +120,7 @@ runs: uses: ./.github/actions/install-java-environment - name: Docker login id: docker-login - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 if: ${{ inputs.docker_hub_username != '' && inputs.docker_hub_password != '' }} with: username: ${{ inputs.docker_hub_username }} 
@@ -133,7 +133,7 @@ runs: is_fork: ${{ inputs.is_fork }} - name: Run airbyte-ci id: run-airbyte-ci - uses: nick-fields/retry@v3 + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 env: CI: "True" CI_GIT_USER: ${{ github.repository_owner }} @@ -190,7 +190,7 @@ runs: - name: Collect dagger engine logs id: collect-dagger-engine-logs if: always() - uses: jwalton/gh-docker-logs@v2 + uses: jwalton/gh-docker-logs@2741064ab9d7af54b0b1ffb6076cf64c16f0220e # v2.2.2 with: dest: "./dagger_engine_logs" images: "registry.dagger.io/engine" @@ -210,7 +210,7 @@ runs: - name: Upload logs to GitHub id: upload-dagger-engine-logs if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: ${{ github.job }}_${{ steps.hash-subcommand.outputs.subcommand_hash }}_dagger_engine_logs.tgz path: ./dagger_engine_logs.tgz diff --git a/.github/actions/runner-prepare-for-build/action.yml b/.github/actions/runner-prepare-for-build/action.yml index 15c85386aa8..fec6da87569 100644 --- a/.github/actions/runner-prepare-for-build/action.yml +++ b/.github/actions/runner-prepare-for-build/action.yml @@ -17,18 +17,18 @@ runs: using: "composite" steps: - if: inputs.install_java == 'true' - uses: actions/setup-java@v3 + uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3.14.1 with: distribution: "zulu" java-version: "21" - if: inputs.install_node == 'true' - uses: actions/setup-node@v3 + uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3.9.1 with: node-version: "lts/*" - if: inputs.install_python == 'true' - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1 with: python-version: "3.9" diff --git a/.github/actions/start-aws-runner/action.yml b/.github/actions/start-aws-runner/action.yml index 0137c086718..a5adc93da98 100644 --- a/.github/actions/start-aws-runner/action.yml 
+++ b/.github/actions/start-aws-runner/action.yml @@ -35,7 +35,7 @@ runs: using: "composite" steps: - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0 with: aws-access-key-id: ${{ inputs.aws-access-key-id }} aws-secret-access-key: ${{ inputs.aws-secret-access-key }} @@ -54,7 +54,7 @@ runs: - name: Start EC2 runner id: start-ec2-runner - uses: airbytehq/ec2-github-runner@MSGv0.0.5 + uses: airbytehq/ec2-github-runner@b671ff1f194623671b398d973a8965348391831d # MSGv0.0.5 with: mode: start github-token: ${{ inputs.github-token }} diff --git a/.github/workflows/approve-regression-tests-command.yml b/.github/workflows/approve-regression-tests-command.yml index e2d0521c3b8..ae6640a6a54 100644 --- a/.github/workflows/approve-regression-tests-command.yml +++ b/.github/workflows/approve-regression-tests-command.yml @@ -52,7 +52,7 @@ jobs: # If comment-id is not provided, this will create a new # comment with the job run link. id: first-comment-action - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 with: comment-id: ${{ github.event.inputs.comment-id }} issue-number: ${{ github.event.inputs.pr }} @@ -107,7 +107,7 @@ jobs: fi - name: Append success comment - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 if: success() with: comment-id: ${{ steps.first-comment-action.outputs.comment-id }} @@ -116,7 +116,7 @@ jobs: > ✅ Approving regression tests - name: Append failure comment - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 if: failure() with: comment-id: ${{ steps.first-comment-action.outputs.comment-id }} 
diff --git a/.github/workflows/auto_merge.yml b/.github/workflows/auto_merge.yml index 1a37e9367d5..9a7c1d2138f 100644 --- a/.github/workflows/auto_merge.yml +++ b/.github/workflows/auto_merge.yml @@ -11,15 +11,15 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: "3.11" check-latest: true update-environment: true - name: Install and configure Poetry - uses: snok/install-poetry@v1 + uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1 with: version: 1.8.5 - name: Run auto merge diff --git a/.github/workflows/auto_merge_notification.yml b/.github/workflows/auto_merge_notification.yml index 54031095360..2a63dcf6640 100644 --- a/.github/workflows/auto_merge_notification.yml +++ b/.github/workflows/auto_merge_notification.yml @@ -14,7 +14,7 @@ jobs: steps: - name: Add Auto-Merge Notice if: github.event.action == 'auto_merge_enabled' - uses: bcgov/action-pr-description-add@v2.0.0 + uses: bcgov/action-pr-description-add@14338bfe0278ead273b3c1189e5aa286ff6709c4 # v2.0.0 with: add_markdown: | > [!IMPORTANT] @@ -24,7 +24,7 @@ jobs: - name: Remove Auto-Merge Notice if: github.event.action == 'auto_merge_disabled' - uses: bcgov/action-pr-description-add@v2.0.0 + uses: bcgov/action-pr-description-add@14338bfe0278ead273b3c1189e5aa286ff6709c4 # v2.0.0 with: add_markdown: | > [!NOTE] diff --git a/.github/workflows/autodoc.yml b/.github/workflows/autodoc.yml index 02696d238df..e875f26e23d 100644 --- a/.github/workflows/autodoc.yml +++ b/.github/workflows/autodoc.yml 
@@ -28,7 +28,7 @@ jobs: steps: # Step 1: Get the pushed code - name: Checkout pushed code - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: fetch-depth: 0 # Full history needed for comprehensive analysis diff --git a/.github/workflows/build-connector-images-command.yml b/.github/workflows/build-connector-images-command.yml index b9261f4f407..7519d9516bb 100644 --- a/.github/workflows/build-connector-images-command.yml +++ b/.github/workflows/build-connector-images-command.yml @@ -43,7 +43,7 @@ jobs: - name: Append start comment id: append-start-comment - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 if: success() with: comment-id: ${{ inputs.comment-id }} @@ -58,7 +58,7 @@ jobs: > [Check job output.](${{ steps.job-vars.outputs.run-url }}) - name: Repo Checkout - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: repository: ${{ inputs.repo || github.repository }} ref: ${{ inputs.gitref || '' }} @@ -98,7 +98,7 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Append end comment - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 with: comment-id: ${{ needs.init-workflow.outputs.comment-id }} issue-number: ${{ needs.init-workflow.outputs.pr-number }} diff --git a/.github/workflows/bump-bulk-cdk-and-release-connectors-command.yml b/.github/workflows/bump-bulk-cdk-and-release-connectors-command.yml index 00fae7030a6..bf276e0af30 100644 --- a/.github/workflows/bump-bulk-cdk-and-release-connectors-command.yml +++ b/.github/workflows/bump-bulk-cdk-and-release-connectors-command.yml 
@@ -22,7 +22,7 @@ jobs: needs: [publish-bulk-cdk] steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: # Fetch all history for all tags and branches fetch-depth: 0 @@ -72,7 +72,7 @@ jobs: needs: [publish-connectors, bump-cdk-version] steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: # Fetch all history for all tags and branches fetch-depth: 0 diff --git a/.github/workflows/bump-bulk-cdk-version-command.yml b/.github/workflows/bump-bulk-cdk-version-command.yml index 95e074cfc14..b654db729bd 100644 --- a/.github/workflows/bump-bulk-cdk-version-command.yml +++ b/.github/workflows/bump-bulk-cdk-version-command.yml @@ -40,7 +40,7 @@ jobs: - name: Append comment with job run link id: first-comment-action - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 with: comment-id: ${{ github.event.inputs.comment-id }} issue-number: ${{ github.event.inputs.pr }} @@ -48,16 +48,16 @@ jobs: > Update bulk CDK version job started. Check the [job logs](${{ steps.resolve-job-vars.outputs.run-url }}) for details. - name: Checkout Airbyte - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - name: Setup Java - uses: actions/setup-java@v4 + uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1 with: distribution: "zulu" java-version: "21" - name: Setup Gradle - uses: gradle/actions/setup-gradle@v4 + uses: gradle/actions/setup-gradle@748248ddd2a24f49513d8f472f81c3a07d4d50e1 # v4.4.4 - name: Run CDK version bump run: ./gradlew :airbyte-cdk:bulk:bumpVersion --${{ github.event.inputs.bump }} --changelog "${{ github.event.inputs.changelog }}" 
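Review bot: In the `@@ -48,16` hunk of bump-bulk-cdk-version-command.yml, the "Run CDK version bump" step expands `${{ github.event.inputs.bump }}` and `${{ github.event.inputs.changelog }}` directly into the `run:` script, so the input text becomes part of the shell command before bash parses it, and the surrounding double quotes do not keep it as data. SHA-pinning the actions does not help here; the values should be passed through `env:` and referenced as quoted shell variables, as in the excerpt below. Who can supply these inputs is not visible in the hunk, but a free-text changelog is likely to contain quotes or `$` even in honest use. `git push contributor HEAD:'${{ steps.job-vars.outputs.branch }}'` in the `@@ -135,7` hunk of bump-version-command.yml has the same shape, and where that branch value comes from is outside the hunk.

```yaml
- name: Run CDK version bump
  env:
    BUMP: ${{ github.event.inputs.bump }}
    CHANGELOG: ${{ github.event.inputs.changelog }}
  run: ./gradlew :airbyte-cdk:bulk:bumpVersion "--$BUMP" --changelog "$CHANGELOG"
```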
@@ -71,7 +71,7 @@ jobs: git push - name: Append success comment - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 with: comment-id: ${{ steps.first-comment-action.outputs.comment-id }} reactions: hooray @@ -79,7 +79,7 @@ jobs: > ✅ Successfully bumped CDK version. - name: Append failure comment - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 if: failure() with: comment-id: ${{ steps.first-comment-action.outputs.comment-id }} diff --git a/.github/workflows/bump-cdk-version-and-merge-command.yml b/.github/workflows/bump-cdk-version-and-merge-command.yml index a1ead917b6d..0575b85e329 100644 --- a/.github/workflows/bump-cdk-version-and-merge-command.yml +++ b/.github/workflows/bump-cdk-version-and-merge-command.yml @@ -22,7 +22,7 @@ jobs: modified_connectors: ${{ steps.export-connection-modified.outputs.modified_connectors }} steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: # Fetch all history for all tags and branches fetch-depth: 0 
@@ -147,21 +147,21 @@ jobs: needs: [publish-connectors] steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - name: Configure Git run: | git config user.name "github-actions[bot]" git config user.email "github-actions[bot]@users.noreply.github.com" - name: Install Python id: install_python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: "3.11" check-latest: true update-environment: true - name: Install Poetry id: install_poetry - uses: snok/install-poetry@v1 + uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1 with: version: 1.8.5 - name: Merge the changelog of the connectors diff --git a/.github/workflows/bump-version-command.yml b/.github/workflows/bump-version-command.yml index c82dab71545..96febd98959 100644 --- a/.github/workflows/bump-version-command.yml +++ b/.github/workflows/bump-version-command.yml @@ -60,7 +60,7 @@ jobs: # forks if the user installs the app into their fork. Until we document this as a clear # path, we will have to keep using the PAT. - name: Checkout Airbyte - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: repository: ${{ steps.job-vars.outputs.repo }} ref: ${{ steps.job-vars.outputs.branch }} @@ -73,7 +73,7 @@ jobs: # If comment-id is not provided, this will create a new # comment with the job run link. id: first-comment-action - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 with: comment-id: ${{ github.event.inputs.comment-id }} issue-number: ${{ github.event.inputs.pr }} 
@@ -135,7 +135,7 @@ jobs: git push contributor HEAD:'${{ steps.job-vars.outputs.branch }}' - name: Append success comment - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 if: steps.git-diff.outputs.changes == 'true' with: comment-id: ${{ steps.first-comment-action.outputs.comment-id }} @@ -144,7 +144,7 @@ jobs: > ✅ Changes applied successfully. (${{ steps.commit-step.outputs.sha }}) - name: Append success comment (no-op) - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 if: steps.git-diff.outputs.changes != 'true' with: comment-id: ${{ steps.first-comment-action.outputs.comment-id }} @@ -153,7 +153,7 @@ jobs: > 🔴 Job completed successfully (no changes, this is sus). - name: Append failure comment - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 if: failure() with: comment-id: ${{ steps.first-comment-action.outputs.comment-id }} diff --git a/.github/workflows/cdk-connector-compatibility-test.yml b/.github/workflows/cdk-connector-compatibility-test.yml index 5064f9f7b2e..b6c786b12c5 100644 --- a/.github/workflows/cdk-connector-compatibility-test.yml +++ b/.github/workflows/cdk-connector-compatibility-test.yml 
@@ -14,19 +14,19 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout Airbyte - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: submodules: true # Needed for airbyte-enterprise connectors (no-op otherwise) fetch-depth: 0 - name: Setup Java - uses: actions/setup-java@v4 + uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1 with: distribution: "zulu" java-version: "21" - name: Setup Gradle - uses: gradle/actions/setup-gradle@v4 + uses: gradle/actions/setup-gradle@748248ddd2a24f49513d8f472f81c3a07d4d50e1 # v4.4.4 with: gradle-version: "8.14" @@ -57,12 +57,12 @@ jobs: - name: Checkout Airbyte if: matrix.connector id: checkout - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: submodules: true # Needed for airbyte-enterprise connectors (no-op otherwise) # Java deps - - uses: actions/setup-java@v4 + - uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1 if: matrix.connector with: distribution: zulu @@ -71,14 +71,14 @@ jobs: # The default behaviour is read-only on PR branches and read/write on master. # See https://github.com/gradle/actions/blob/main/docs/setup-gradle.md#using-the-cache-read-only. - - uses: gradle/actions/setup-gradle@v4 + - uses: gradle/actions/setup-gradle@748248ddd2a24f49513d8f472f81c3a07d4d50e1 # v4.4.4 if: matrix.connector with: gradle-version: "8.14" - name: Install the latest version of uv if: matrix.connector - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0 - name: Install Poe if: matrix.connector 
@@ -116,7 +116,7 @@ jobs: - name: Slack Notification on Failure if: github.event_name == 'schedule' && failure() && (steps.run-unit-tests.outcome == 'failure' || steps.run-integration-tests.outcome == 'failure') - uses: slackapi/slack-github-action@v2.1.1 + uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1 with: token: ${{ secrets.SLACK_BOT_TOKEN_AIRBYTE_TEAM }} method: chat.postMessage diff --git a/.github/workflows/connector-ci-checks.yml b/.github/workflows/connector-ci-checks.yml index 39c7347668a..ac9dce479bf 100644 --- a/.github/workflows/connector-ci-checks.yml +++ b/.github/workflows/connector-ci-checks.yml @@ -50,7 +50,7 @@ jobs: steps: - name: Checkout Current Branch id: checkout - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: repository: ${{ inputs.repo || github.event.pull_request.head.repo.full_name }} ref: ${{ inputs.gitref || github.head_ref || github.ref_name }} @@ -78,7 +78,7 @@ jobs: git fetch --quiet upstream master - id: cdk-changes - uses: dorny/paths-filter@v2 + uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 with: # Note: expressions within a filter are OR'ed filters: | @@ -138,7 +138,7 @@ jobs: - name: Checkout Airbyte if: matrix.connector id: checkout - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: repository: ${{ inputs.repo || github.event.pull_request.head.repo.full_name }} ref: ${{ inputs.gitref || github.head_ref || github.ref_name }} @@ -146,7 +146,7 @@ jobs: fetch-depth: 1 # Java deps - - uses: actions/setup-java@v4 + - uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1 if: matrix.connector with: distribution: zulu 
@@ -155,7 +155,7 @@ jobs: # The default behaviour is read-only on PR branches and read/write on master. # See https://github.com/gradle/actions/blob/main/docs/setup-gradle.md#using-the-cache-read-only. - - uses: gradle/actions/setup-gradle@v4 + - uses: gradle/actions/setup-gradle@748248ddd2a24f49513d8f472f81c3a07d4d50e1 # v4.4.4 if: matrix.connector with: gradle-version: "8.14" @@ -163,7 +163,7 @@ jobs: # TODO: We can delete this step once Airbyte-CI is removed from Java integration tests. - name: Set up Python (For Airbyte-CI) if: matrix.connector - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: "3.11" check-latest: true @@ -171,7 +171,7 @@ jobs: - name: Install the latest version of uv if: matrix.connector - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0 - name: Install Poe if: matrix.connector @@ -203,7 +203,7 @@ jobs: run: poe test-integration-tests - name: Publish Test Results - uses: EnricoMi/publish-unit-test-result-action@v2 + uses: EnricoMi/publish-unit-test-result-action@3a74b2957438d0b6e2e61d67b05318aa25c9e6c6 # v2.20.0 # Skip if cancelled, if no connector is specified, or if running from a fork. if: always() && !cancelled() && matrix.connector && github.repository == 'airbytehq/airbyte' with: @@ -229,7 +229,7 @@ jobs: - name: Checkout Airbyte if: matrix.connector id: checkout - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: repository: ${{ inputs.repo || github.event.pull_request.head.repo.full_name }} ref: ${{ inputs.gitref || github.head_ref || github.ref_name }} @@ -239,7 +239,7 @@ jobs: # Python deps - name: Set up Python if: matrix.connector - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: "3.11" check-latest: true 
@@ -247,13 +247,13 @@ jobs: - name: Install and configure Poetry if: matrix.connector - uses: snok/install-poetry@v1 + uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1 with: version: 1.8.5 - name: Install the latest version of uv if: matrix.connector - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0 - name: Install system dependencies if: matrix.connector @@ -307,7 +307,7 @@ jobs: airbyte-cdk image test - name: Publish Test Results - uses: EnricoMi/publish-unit-test-result-action@v2 + uses: EnricoMi/publish-unit-test-result-action@3a74b2957438d0b6e2e61d67b05318aa25c9e6c6 # v2.20.0 # Skip if cancelled, if no connector is specified, or if the repository is a fork. if: always() && !cancelled() && matrix.connector && github.repository == 'airbytehq/airbyte' with: @@ -330,7 +330,7 @@ jobs: steps: - name: Checkout Airbyte if: matrix.connector - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: repository: ${{ inputs.repo || github.event.pull_request.head.repo.full_name }} ref: ${{ inputs.gitref || github.head_ref || github.ref_name }} @@ -338,14 +338,14 @@ jobs: fetch-depth: 1 # Java deps - - uses: actions/setup-java@v4 + - uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1 if: matrix.connector with: distribution: zulu java-version: 21 cache: gradle - - uses: gradle/actions/setup-gradle@v4 + - uses: gradle/actions/setup-gradle@748248ddd2a24f49513d8f472f81c3a07d4d50e1 # v4.4.4 if: matrix.connector with: cache-read-only: false 
@@ -355,20 +355,20 @@ jobs: # Python deps - name: Set up Python if: matrix.connector - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: "3.11" check-latest: true update-environment: true - name: Install and configure Poetry if: matrix.connector - uses: snok/install-poetry@v1 + uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1 with: version: 1.8.5 - name: Install the latest version of uv if: matrix.connector - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0 - name: Install system dependencies if: matrix.connector @@ -421,7 +421,7 @@ jobs: steps: - name: Checkout Airbyte if: matrix.connector - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: repository: ${{ inputs.repo || github.event.pull_request.head.repo.full_name }} ref: ${{ inputs.gitref || github.head_ref || github.ref_name }} @@ -429,7 +429,7 @@ jobs: fetch-depth: 0 - name: Install uv if: matrix.connector - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0 - name: Install Poe if: matrix.connector @@ -489,7 +489,7 @@ jobs: # be available, so the following steps will be a no-op. - name: Authenticate as GitHub App - uses: actions/create-github-app-token@v1 + uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1.12.0 id: get-app-token if: always() && !cancelled() continue-on-error: true @@ -501,7 +501,7 @@ jobs: if: > always() && !cancelled() && steps.get-app-token.outcome == 'success' - uses: LouisBrunner/checks-action@v2.0.0 + uses: LouisBrunner/checks-action@6b626ffbad7cc56fd58627f774b9067e6118af23 # v2.0.0 with: name: "Connector CI Checks Summary" # << Name of the 'Required' check sha: ${{ needs.generate-matrix.outputs.commit-sha }} 
diff --git a/.github/workflows/connector-image-build.yml b/.github/workflows/connector-image-build.yml index cc4ba99e3e2..5c6b613d18d 100644 --- a/.github/workflows/connector-image-build.yml +++ b/.github/workflows/connector-image-build.yml @@ -42,14 +42,14 @@ jobs: url: https://ghcr.io/airbytehq/${{ inputs.connector }} steps: - name: Checkout Current Branch - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: repository: ${{ inputs.repo || github.event.pull_request.head.repo.full_name }} ref: ${{ inputs.gitref || github.head_ref }} fetch-depth: 1 - name: Install the latest version of uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0 - name: Install Poe run: | @@ -74,14 +74,14 @@ jobs: echo "image-build-num-tag=${IMAGE_PR_NUM_TAG}-build${{ github.run_number }}" | tee -a $GITHUB_OUTPUT # Java deps - - uses: actions/setup-java@v4 + - uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1 if: ${{ steps.vars.outputs.connector-language == 'java' }} with: distribution: zulu java-version: 21 cache: gradle - - uses: gradle/actions/setup-gradle@v4 + - uses: gradle/actions/setup-gradle@748248ddd2a24f49513d8f472f81c3a07d4d50e1 # v4.4.4 if: ${{ steps.vars.outputs.connector-language == 'java' }} with: cache-read-only: false 
@@ -95,18 +95,18 @@ jobs: ./gradlew :airbyte-integrations:connectors:${{ inputs.connector }}:distTar - name: Log in to GHCR - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Build Connector Image id: build-connector-image - uses: docker/build-push-action@v5 + uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0 with: context: airbyte-integrations/connectors/${{ inputs.connector }} file: docker-images/Dockerfile.${{ steps.vars.outputs.connector-language }}-connector @@ -127,7 +127,7 @@ jobs: spec - name: Run ${{ inputs.connector }} Image Vulnerability Scan - uses: anchore/scan-action@v6 + uses: anchore/scan-action@1638637db639e0ade3258b51db49a9a137574c3e # v6.5.1 with: image: "${{ steps.vars.outputs.image-build-num-tag }}" output-format: "table" diff --git a/.github/workflows/connector-performance-command.yml b/.github/workflows/connector-performance-command.yml index 7e033d5da0f..20e8b691883 100644 --- a/.github/workflows/connector-performance-command.yml +++ b/.github/workflows/connector-performance-command.yml @@ -106,7 +106,7 @@ jobs: ec2-instance-id: ${{ steps.start-ec2-runner.outputs.ec2-instance-id }} steps: - name: Checkout Airbyte - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: repository: ${{ inputs.repo }} ref: ${{ inputs.gitref }} @@ -129,7 +129,7 @@ jobs: steps: - name: Link comment to workflow run if: inputs.comment-id - uses: peter-evans/create-or-update-comment@v1 + uses: peter-evans/create-or-update-comment@a35cf36e5301d70b76f316e867e7788a55a31dae # v1.4.5 with: comment-id: ${{ inputs.comment-id }} body: | 
@@ -140,7 +140,7 @@ jobs: > :runner: ${{inputs.connector}} https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}. - name: Search for valid connector name format id: regex - uses: AsasInnab/regex-action@v1 + uses: AsasInnab/regex-action@93439ac11aa6a032a673c8711231d8cef044daaa # v1 with: regex_pattern: "^(connectors/)?[a-zA-Z0-9-_]+$" regex_flags: "i" # required to be set for this plugin @@ -155,18 +155,18 @@ jobs: inputs.connector != 'connectors/source-mongodb-v2' }}" run: echo "Only connectors/source-postgres, source-mysql, source-mongodb-v2 and destination-snowflake currently supported by harness" && exit 1 - name: Checkout Airbyte - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: repository: ${{ inputs.repo }} ref: ${{ inputs.gitref }} fetch-depth: 0 # This is to fetch the main branch in case we are running on a different branch. - name: Install Java - uses: actions/setup-java@v3 + uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3.14.1 with: distribution: "zulu" java-version: "21" - name: Install Python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1 with: python-version: "3.11" check-latest: true @@ -210,7 +210,7 @@ jobs: env: GCP_GSM_CREDENTIALS: ${{ secrets.GCP_GSM_CREDENTIALS }} - name: KIND Kubernetes Cluster Setup - uses: helm/kind-action@v1.4.0 + uses: helm/kind-action@9e8295d178de23cbfbd8fa16cf844eec1d773a07 # v1.4.0 with: config: "./tools/bin/${{ steps.which-harness.outputs.harness_type }}-kind-cluster-config.yaml" - name: Run harness @@ -246,7 +246,7 @@ jobs: echo "$EOF" >> $GITHUB_OUTPUT - name: Link comment to workflow run if: inputs.comment-id - uses: peter-evans/create-or-update-comment@v2 + uses: peter-evans/create-or-update-comment@67dcc547d311b736a8e6c5c236542148a47adc3d # v2.1.1 with: reactions: "+1" comment-id: ${{ inputs.comment-id }} 
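Review bot: The version comment on `AsasInnab/regex-action@93439ac11aa6a032a673c8711231d8cef044daaa # v1` names a major tag rather than a release, so a reader cannot tell from the line which release the SHA was taken from, and a moved `v1` tag would leave the comment silently wrong. `burrunan/gradle-cache-action@… # v1` in java-bulk-cdk-publish.yml has the same problem, and `#base64v1.0.10` on the `supertopher/ec2-github-runner` pin lacks the space the other comments use, which update tooling that parses these comments may not accept. If upstream publishes no finer tag, record how the SHA was checked, e.g. `# v1 (no release tag upstream; SHA verified against the tag on <date>)`, and write the other as `# base64v1.0.10`.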
@@ -268,20 +268,20 @@ jobs: if: ${{ always() }} # required to stop the runner even if the error happened in the previous jobs steps: - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0 with: aws-access-key-id: ${{ secrets.SELF_RUNNER_AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.SELF_RUNNER_AWS_SECRET_ACCESS_KEY }} aws-region: us-east-2 - name: Checkout Airbyte - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Check PAT rate limits run: | ./tools/bin/find_non_rate_limited_PAT \ ${{ secrets.GH_PAT_BUILD_RUNNER_OSS }} \ ${{ secrets.GH_PAT_BUILD_RUNNER_BACKUP }} - name: Stop EC2 runner - uses: supertopher/ec2-github-runner@base64v1.0.10 + uses: supertopher/ec2-github-runner@0a62b16b7a86a45725a1755884f8cee7a5068ad8 #base64v1.0.10 with: mode: stop github-token: ${{ env.PAT }} diff --git a/.github/workflows/connectors_insights.yml b/.github/workflows/connectors_insights.yml index 475b757304a..2be10c889b1 100644 --- a/.github/workflows/connectors_insights.yml +++ b/.github/workflows/connectors_insights.yml @@ -14,9 +14,9 @@ jobs: timeout-minutes: 1440 # 24 hours steps: - name: Checkout Airbyte - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - name: Docker login - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: username: ${{ secrets.DOCKER_HUB_USERNAME }} password: ${{ secrets.DOCKER_HUB_PASSWORD }} 
@@ -25,11 +25,11 @@ jobs: with: dagger_engine_image: "registry.dagger.io/engine:v0.9.6" - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: "3.11" - name: Install Poetry - uses: snok/install-poetry@v1 + uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1 with: version: 1.8.5 virtualenvs-create: true @@ -37,7 +37,7 @@ jobs: installer-parallel: true - name: Load cached venv id: cached-poetry-dependencies - uses: actions/cache@v3 + uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3.5.0 with: path: .venv key: venv-${{ runner.os }}-${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('**/poetry.lock') }} diff --git a/.github/workflows/connectors_up_to_date.yml b/.github/workflows/connectors_up_to_date.yml index 5b6dc51bc81..2bcc7b420da 100644 --- a/.github/workflows/connectors_up_to_date.yml +++ b/.github/workflows/connectors_up_to_date.yml @@ -20,7 +20,7 @@ jobs: generated_matrix: ${{ steps.generate_matrix.outputs.generated_matrix }} steps: - name: Checkout Airbyte - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - name: Run airbyte-ci connectors list [SCHEDULED TRIGGER] if: github.event_name == 'schedule' id: airbyte-ci-connectors-list-scheduled @@ -56,9 +56,9 @@ jobs: pull-requests: write steps: - name: Checkout Airbyte - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - name: Authenticate as 'octavia-bot-hoard' GitHub App - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4 id: get-app-token with: owner: "airbytehq" diff --git a/.github/workflows/docker-connector-base-image-tests.yml b/.github/workflows/docker-connector-base-image-tests.yml index 8173d071bfd..e41739707b4 100644 
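Review bot: `dagger_engine_image: "registry.dagger.io/engine:v0.9.6"` at the top of the `@@ -25,11` hunk is still a mutable tag reference, so the engine image this job runs is not covered by the pinning applied to the `uses:` lines around it. A registry tag can be re-pointed just as an action tag can; if the consuming action accepts a digest reference, pin it as `registry.dagger.io/engine:v0.9.6@sha256:<digest-of-the-reviewed-image>`. The step's `uses:` line is above the hunk, so which action consumes the value is not visible here.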
--- a/.github/workflows/docker-connector-base-image-tests.yml +++ b/.github/workflows/docker-connector-base-image-tests.yml @@ -27,10 +27,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - id: changes - uses: dorny/paths-filter@v3.0.2 + uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 with: filters: | java-images: @@ -57,23 +57,23 @@ jobs: if: needs.detect-changes.outputs.java-images == 'true' steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: fetch-depth: 1 - name: Log in to GHCR - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Build Java Base Image id: docker-build-java-base - uses: docker/build-push-action@v5 + uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0 with: context: . file: docker-images/Dockerfile.java-connector-base @@ -84,7 +84,7 @@ jobs: ghcr.io/airbytehq/java-connector-base:draft-pr-${{ github.event.pull_request.number }}-build${{ github.run_number }} - name: Run Java Base Image Vulnerability Scan - uses: anchore/scan-action@v6 + uses: anchore/scan-action@1638637db639e0ade3258b51db49a9a137574c3e # v6.5.1 with: image: "ghcr.io/airbytehq/java-connector-base:draft-pr-${{ github.event.pull_request.number }}-build${{ github.run_number }}" output-format: "table" 
@@ -104,23 +104,23 @@ jobs: if: needs.detect-changes.outputs.python-images == 'true' steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: fetch-depth: 1 - name: Log in to GHCR - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Build Python Base Image id: docker-build-python-base - uses: docker/build-push-action@v5 + uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0 with: context: . file: docker-images/Dockerfile.python-connector-base @@ -131,7 +131,7 @@ jobs: ghcr.io/airbytehq/python-connector-base:draft-pr-${{ github.event.pull_request.number }}-build${{ github.run_number }} - name: Run Python Base Image Vulnerability Scan - uses: anchore/scan-action@v6 + uses: anchore/scan-action@1638637db639e0ade3258b51db49a9a137574c3e # v6.5.1 with: image: "ghcr.io/airbytehq/python-connector-base:draft-pr-${{ github.event.pull_request.number }}-build${{ github.run_number }}" output-format: "table" @@ -158,19 +158,19 @@ jobs: url: https://ghcr.io/airbytehq/${{ matrix.connector }} steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: fetch-depth: 1 # Java deps - name: Set up Java - uses: actions/setup-java@v4 + uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1 with: distribution: zulu java-version: 21 cache: gradle - - uses: gradle/actions/setup-gradle@v4 + - uses: gradle/actions/setup-gradle@748248ddd2a24f49513d8f472f81c3a07d4d50e1 # v4.4.4 with: cache-read-only: false cache-write-only: false 
@@ -182,14 +182,14 @@ jobs: ./gradlew :airbyte-integrations:connectors:${{ matrix.connector }}:distTar - name: Log in to GHCR - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Debug BUILD_ARGS run: | @@ -198,7 +198,7 @@ jobs: - name: Build ${{ matrix.connector }} Image id: docker-build-java-connector - uses: docker/build-push-action@v5 + uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0 with: context: airbyte-integrations/connectors/${{ matrix.connector }} file: docker-images/Dockerfile.java-connector @@ -219,7 +219,7 @@ jobs: spec - name: Setup uv - uses: astral-sh/setup-uv@v4 + uses: astral-sh/setup-uv@38f3f104447c67c051c4a08e39b64a148898af3a # v4.2.0 - name: Install CDK CLI run: | @@ -237,7 +237,7 @@ jobs: airbyte-cdk image test --image=ghcr.io/airbytehq/${{ matrix.connector }}:draft-pr-${{ github.event.pull_request.number }}-build${{ github.run_number }} - name: Run ${{ matrix.connector }} Image Vulnerability Scan - uses: anchore/scan-action@v6 + uses: anchore/scan-action@1638637db639e0ade3258b51db49a9a137574c3e # v6.5.1 with: image: "ghcr.io/airbytehq/${{ matrix.connector }}:draft-pr-${{ github.event.pull_request.number }}-build${{ github.run_number }}" output-format: "table" 
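Review bot: `astral-sh/setup-uv@38f3f104447c67c051c4a08e39b64a148898af3a # v4.2.0` in the `@@ -219,7` hunk freezes this workflow two majors behind the `d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0` pin that the same commit uses for this action in other workflows, and the later `Setup uv` steps in this file (`@@ -303,7`, `@@ -384,7`) do the same. With a floating `@v4` the step at least followed v4 releases; a SHA pin receives nothing until someone bumps it, so each extra pinned version is one more to track. docs-build.yml similarly carries `actions/checkout` at both `# v4.3.0` and `# v4.2.2`. Consider aligning on one pin per action in a follow-up, or confirm that an update bot is configured to raise bumps for pinned SHAs.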
@@ -263,17 +263,17 @@ jobs: url: https://ghcr.io/airbytehq/${{ matrix.connector }} steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - name: Log in to GHCR - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Debug BUILD_ARGS run: | @@ -282,7 +282,7 @@ jobs: - name: Build ${{ matrix.connector }} Image id: docker-build-python-connector - uses: docker/build-push-action@v5 + uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0 with: context: airbyte-integrations/connectors/${{ matrix.connector }} file: docker-images/Dockerfile.python-connector @@ -303,7 +303,7 @@ jobs: spec - name: Setup uv - uses: astral-sh/setup-uv@v4 + uses: astral-sh/setup-uv@38f3f104447c67c051c4a08e39b64a148898af3a # v4.2.0 - name: Install CDK CLI run: | @@ -321,7 +321,7 @@ jobs: airbyte-cdk image test --image=ghcr.io/airbytehq/${{ matrix.connector }}:draft-pr-${{ github.event.pull_request.number }}-build${{ github.run_number }} - name: Run ${{ matrix.connector }} Image Vulnerability Scan - uses: anchore/scan-action@v6 + uses: anchore/scan-action@1638637db639e0ade3258b51db49a9a137574c3e # v6.5.1 with: image: "ghcr.io/airbytehq/${{ matrix.connector }}:draft-pr-${{ github.event.pull_request.number }}-build${{ github.run_number }}" output-format: "table" 
@@ -343,19 +343,19 @@ jobs: url: https://ghcr.io/airbytehq/${{ matrix.connector }} steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: fetch-depth: 1 - name: Log in to GHCR - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Debug BUILD_ARGS run: | @@ -363,7 +363,7 @@ jobs: echo "CONNECTOR_NAME=${{ matrix.connector }}" - name: Build ${{ matrix.connector }} Image - uses: docker/build-push-action@v5 + uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0 with: context: airbyte-integrations/connectors/${{ matrix.connector }} file: docker-images/Dockerfile.manifest-only-connector @@ -384,7 +384,7 @@ jobs: spec - name: Setup uv - uses: astral-sh/setup-uv@v4 + uses: astral-sh/setup-uv@38f3f104447c67c051c4a08e39b64a148898af3a # v4.2.0 - name: Install CDK CLI run: | @@ -402,7 +402,7 @@ jobs: airbyte-cdk image test --image=ghcr.io/airbytehq/${{ matrix.connector }}:draft-pr-${{ github.event.pull_request.number }}-build${{ github.run_number }} - name: Run ${{ matrix.connector }} Image Vulnerability Scan - uses: anchore/scan-action@v6 + uses: anchore/scan-action@1638637db639e0ade3258b51db49a9a137574c3e # v6.5.1 with: image: "ghcr.io/airbytehq/${{ matrix.connector }}:draft-pr-${{ github.event.pull_request.number }}-build${{ github.run_number }}" output-format: "table" diff --git a/.github/workflows/docker-connector-image-publishing.yml b/.github/workflows/docker-connector-image-publishing.yml index 0832752c3f2..302074940d8 100644 --- a/.github/workflows/docker-connector-image-publishing.yml +++ b/.github/workflows/docker-connector-image-publishing.yml 
@@ -50,19 +50,19 @@ jobs: url: https://${{ github.event.inputs.repository-root == 'docker.io/airbyte' && 'hub.docker.com/r/airbyte' || github.event.inputs.repository-root }}/${{ github.event.inputs.connector-type }}-connector-base steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: fetch-depth: 1 - name: Log in to DockerHub - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 if: ${{ github.event.inputs.repository-root == 'docker.io/airbyte' }} with: username: ${{ secrets.DOCKER_HUB_USERNAME }} password: ${{ secrets.DOCKER_HUB_PASSWORD }} - name: Log in to GHCR - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 if: ${{ github.event.inputs.repository-root == 'ghcr.io/airbytehq' }} with: registry: ghcr.io/airbytehq @@ -70,7 +70,7 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Set and debug variables id: vars @@ -87,7 +87,7 @@ jobs: - name: Build Base Image id: docker-build-base - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: file: ${{ steps.vars.outputs.DOCKERFILE }} platforms: linux/amd64,linux/arm64 @@ -95,7 +95,7 @@ jobs: push: false - name: Run Vulnerability Scan - uses: anchore/scan-action@v6 + uses: anchore/scan-action@1638637db639e0ade3258b51db49a9a137574c3e # v6.5.1 with: image: "${{ steps.vars.outputs.FULL_IMAGE_REF }}" output-format: "table" 
@@ -108,7 +108,7 @@ jobs: # https://docs.docker.com/build/ci/github-actions/test-before-push/ id: docker-image-publish if: ${{ github.event.inputs.dry-run == 'false' }} - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: platforms: linux/amd64,linux/arm64 file: ${{ steps.vars.outputs.DOCKERFILE }} diff --git a/.github/workflows/docker-image-pruning.yml b/.github/workflows/docker-image-pruning.yml index a03c78e7718..fe0b8cf01f2 100644 --- a/.github/workflows/docker-image-pruning.yml +++ b/.github/workflows/docker-image-pruning.yml @@ -24,7 +24,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Prune temporary GHCR images - uses: snok/container-retention-policy@v3.0.0 + uses: snok/container-retention-policy@4f22ef80902ad409ed55a99dc5133cc1250a0d03 # v3.0.0 with: account: airbytehq token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/docs-build.yml b/.github/workflows/docs-build.yml index 829086d8af1..e37d218fce2 100644 --- a/.github/workflows/docs-build.yml +++ b/.github/workflows/docs-build.yml @@ -15,7 +15,7 @@ jobs: # The detection method uses the GitHub REST API. - name: Detect Changes id: detect-changes - uses: dorny/paths-filter@v3.0.2 + uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 with: filters: | docs: @@ -34,7 +34,7 @@ jobs: if: needs.detect-changes.outputs.changed == 'true' steps: - name: Checkout Current Branch - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: fetch-depth: 0 repository: ${{ github.event.pull_request.head.repo.full_name }} 
@@ -61,13 +61,13 @@ jobs: - name: Set Up pnpm if: steps.check-skip.outputs.skip-build != 'true' # pnpm is used to manage the dependencies of the documentation build. - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0 with: version: 10.12.1 - name: Install uv if: steps.check-skip.outputs.skip-build != 'true' - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0 - name: Install Poe if: steps.check-skip.outputs.skip-build != 'true' @@ -95,13 +95,13 @@ jobs: steps: - name: Checkout Current Branch - uses: actions/checkout@v4.2.2 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 1 - name: Deploy to Vercel id: deploy-vercel - uses: amondnet/vercel-action@v41.1.4 + uses: amondnet/vercel-action@888da851026e0573da056b061931bcb765a915c4 # v41.1.4 with: github-token: ${{ secrets.GITHUB_TOKEN }} vercel-token: ${{ secrets.VERCEL_TOKEN }} @@ -110,7 +110,7 @@ jobs: vercel-args: --archive=tgz - name: Authenticate as GitHub App - uses: actions/create-github-app-token@v2.0.6 + uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6 id: get-app-token with: owner: "airbytehq" @@ -120,7 +120,7 @@ jobs: # If successful, post a check status with the Preview URL as its "details" link - name: Post Custom Check with Preview URL (${{ steps.deploy-vercel.outputs.preview-url }}) - uses: LouisBrunner/checks-action@v2.0.0 + uses: LouisBrunner/checks-action@6b626ffbad7cc56fd58627f774b9067e6118af23 # v2.0.0 with: name: "Vercel Preview Deployed" # << Name of the check status: completed diff --git a/.github/workflows/finalize_rollout.yml b/.github/workflows/finalize_rollout.yml index 3fd9169e810..cbe2067ddd9 100644 --- a/.github/workflows/finalize_rollout.yml +++ b/.github/workflows/finalize_rollout.yml 
@@ -27,12 +27,12 @@ jobs: fi shell: bash - name: Checkout Airbyte - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 # Authenticate as the GitHub App to ensure CI can run. This is necessary because # commits created with the built-in GitHub token will not trigger workflows. - name: Authenticate as GitHub App - uses: actions/create-github-app-token@v1 + uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1.12.0 id: get-app-token with: owner: "airbytehq" diff --git a/.github/workflows/format-fix-command.yml b/.github/workflows/format-fix-command.yml index ba6605a25f8..e14907a1731 100644 --- a/.github/workflows/format-fix-command.yml +++ b/.github/workflows/format-fix-command.yml @@ -48,7 +48,7 @@ jobs: # forks if the user installs the app into their fork. Until we document this as a clear # path, we will have to keep using the PAT. - name: Checkout Airbyte - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: repository: ${{ steps.job-vars.outputs.repo }} ref: ${{ steps.job-vars.outputs.branch }} @@ -61,7 +61,7 @@ jobs: # If comment-id is not provided, this will create a new # comment with the job run link. id: first-comment-action - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 with: comment-id: ${{ github.event.inputs.comment-id }} issue-number: ${{ github.event.inputs.pr }} 
@@ -73,19 +73,19 @@ jobs: # Compare the below to the `format_check.yml` workflow - name: Setup Java - uses: actions/setup-java@v3 + uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3.14.1 with: distribution: "zulu" java-version: "21" - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: "3.11" cache: "pip" check-latest: true update-environment: true - name: Run pre-commit - uses: pre-commit/action@v3.0.1 + uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1 continue-on-error: true id: format-fix @@ -120,7 +120,7 @@ jobs: git push contributor HEAD:'${{ steps.job-vars.outputs.branch }}' - name: Append success comment - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 if: steps.git-diff.outputs.changes == 'true' with: comment-id: ${{ steps.first-comment-action.outputs.comment-id }} @@ -129,7 +129,7 @@ jobs: > ✅ Changes applied successfully. (${{ steps.commit-step.outputs.sha }}) - name: Append success comment (no-op) - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 if: steps.git-diff.outputs.changes != 'true' with: comment-id: ${{ steps.first-comment-action.outputs.comment-id }} @@ -138,7 +138,7 @@ jobs: > 🟦 Job completed successfully (no changes). - name: Append failure comment - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 if: failure() with: comment-id: ${{ steps.first-comment-action.outputs.comment-id }} diff --git a/.github/workflows/format_check.yml b/.github/workflows/format_check.yml index 70e2b1769f0..81385483f29 100644 --- a/.github/workflows/format_check.yml +++ b/.github/workflows/format_check.yml 
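Review bot: The `git push contributor HEAD:'${{ steps.job-vars.outputs.branch }}'` line at the top of the `@@ -120,7` hunk expands a step output directly into the shell script, and SHA-pinning the actions does nothing for that path. If `branch` is derived from the contributor's PR (its origin is outside the hunk), shell metacharacters in the name would be interpreted by the shell in a job whose comments say it checks out with a PAT. Pass it through the environment instead: add `env:` with `BRANCH: ${{ steps.job-vars.outputs.branch }}` on the step and use `git push contributor HEAD:"$BRANCH"`. `git rev-parse origin/${{ steps.extract_branch.outputs.branch }}` in internal-airbyte-ci-tests.yml (`@@ -93,7`) has the same shape. The `run:` block starts above the hunk.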
@@ -14,21 +14,21 @@ jobs: name: "Format Check" runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - name: Setup Java - uses: actions/setup-java@v3 + uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3.14.1 with: distribution: "zulu" java-version: "21" - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: "3.11" cache: "pip" check-latest: true update-environment: true - name: Run Pre-Commit - uses: pre-commit/action@v3.0.1 + uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1 id: format-check with: extra_args: --all-files @@ -49,7 +49,7 @@ jobs: always() && steps.format-check.outcome == 'failure' && github.ref == 'refs/heads/master' && github.event.pull_request.head.repo.fork == false - uses: slackapi/slack-github-action@v2.1.1 + uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1 with: token: ${{ secrets.SLACK_BOT_TOKEN_AIRBYTE_TEAM }} method: chat.postMessage diff --git a/.github/workflows/gradle-dependency-diff.yml b/.github/workflows/gradle-dependency-diff.yml index bdffbc3ddf8..5f58863fb95 100644 --- a/.github/workflows/gradle-dependency-diff.yml +++ b/.github/workflows/gradle-dependency-diff.yml @@ -10,11 +10,11 @@ jobs: if: github.event.pull_request.head.repo.fork == false steps: - name: Checkout Code - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - name: Set up Java - uses: actions/setup-java@v4 + uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1 with: distribution: temurin java-version: 21 - name: Run Gradle Dependency Diff - uses: be-hase/gradle-dependency-diff-action@v2 + uses: be-hase/gradle-dependency-diff-action@c6832aa3ca2594b7f25136bad88155f483d1fa04 # v2.0.0 
diff --git a/.github/workflows/internal-airbyte-ci-release.yml b/.github/workflows/internal-airbyte-ci-release.yml index 5edea03eb17..fcc2b257ec6 100644 --- a/.github/workflows/internal-airbyte-ci-release.yml +++ b/.github/workflows/internal-airbyte-ci-release.yml @@ -26,17 +26,17 @@ jobs: steps: - name: Checkout Airbyte id: checkout_airbyte - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: ref: ${{ github.sha }} # This is required to make sure that the same commit is checked out on all runners - name: Get short SHA id: get_short_sha - uses: benjlevesque/short-sha@v2.2 + uses: benjlevesque/short-sha@36eb8c530990ceac5ddf3c0bc32d02c677ae9706 # v2.2 - name: Install Python id: install_python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1 with: python-version: "3.11" check-latest: true @@ -44,7 +44,7 @@ jobs: - name: Install Poetry id: install_poetry - uses: snok/install-poetry@v1 + uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1 with: version: 1.8.5 
@@ -58,21 +58,21 @@ jobs: working-directory: airbyte-ci/connectors/pipelines/ run: poetry run poe build-release-binary ${{ env.BINARY_FILE_NAME }} - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: airbyte-ci-${{ matrix.os }}-${{ steps.get_short_sha.outputs.sha }} path: airbyte-ci/connectors/pipelines/dist/${{ env.BINARY_FILE_NAME }} - name: Authenticate to Google Cloud Dev id: auth_dev - uses: google-github-actions/auth@v1 + uses: google-github-actions/auth@3a3c4c57d294ef65efaaee4ff17b22fa88dd3c69 # v1.3.0 with: credentials_json: "${{ secrets.METADATA_SERVICE_DEV_GCS_CREDENTIALS }}" - name: Upload pre-release to GCS dev bucket id: upload_pre_release_to_gcs if: github.ref != 'refs/heads/master' - uses: google-github-actions/upload-cloud-storage@v1 + uses: google-github-actions/upload-cloud-storage@e95a15f226403ed658d3e65f40205649f342ba2c # v1.0.3 with: path: airbyte-ci/connectors/pipelines/dist/${{ env.BINARY_FILE_NAME }} destination: ${{ env.DEV_GCS_BUCKET_NAME }}/airbyte-ci/releases/${{ matrix.os }}/${{ steps.get_short_sha.outputs.sha }} @@ -95,14 +95,14 @@ jobs: - name: Authenticate to Google Cloud Prod id: auth_prod - uses: google-github-actions/auth@v1 + uses: google-github-actions/auth@3a3c4c57d294ef65efaaee4ff17b22fa88dd3c69 # v1.3.0 with: credentials_json: "${{ secrets.METADATA_SERVICE_PROD_GCS_CREDENTIALS }}" - name: Upload version release to GCS prod bucket id: upload_version_release_to_gcs if: github.ref == 'refs/heads/master' - uses: google-github-actions/upload-cloud-storage@v1 + uses: google-github-actions/upload-cloud-storage@e95a15f226403ed658d3e65f40205649f342ba2c # v1.0.3 with: path: airbyte-ci/connectors/pipelines/dist/${{ env.BINARY_FILE_NAME }} destination: ${{ env.PROD_GCS_BUCKET_NAME }}/airbyte-ci/releases/${{ matrix.os }}/${{ steps.set_version.outputs.version }} 
@@ -118,7 +118,7 @@ jobs: - name: Upload latest release to GCS prod bucket id: upload_latest_release_to_gcs if: github.ref == 'refs/heads/master' - uses: google-github-actions/upload-cloud-storage@v1 + uses: google-github-actions/upload-cloud-storage@e95a15f226403ed658d3e65f40205649f342ba2c # v1.0.3 with: path: airbyte-ci/connectors/pipelines/dist/${{ env.BINARY_FILE_NAME }} destination: ${{ env.PROD_GCS_BUCKET_NAME }}/airbyte-ci/releases/${{ matrix.os }}/latest diff --git a/.github/workflows/internal-airbyte-ci-tests.yml b/.github/workflows/internal-airbyte-ci-tests.yml index dcad7d35ba0..e0329e0892a 100644 --- a/.github/workflows/internal-airbyte-ci-tests.yml +++ b/.github/workflows/internal-airbyte-ci-tests.yml @@ -25,9 +25,9 @@ jobs: steps: - name: Checkout Airbyte if: github.event_name != 'pull_request' - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - id: changes - uses: dorny/paths-filter@v2 + uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 with: # Note: expressions within a filter are OR'ed filters: | @@ -54,12 +54,12 @@ jobs: statuses: write steps: - name: Checkout Airbyte - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: fetch-depth: 0 ref: ${{ github.event.pull_request.head.ref }} - name: Checkout Airbyte Python CDK - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: repository: airbytehq/airbyte-python-cdk ref: main @@ -93,7 +93,7 @@ jobs: run: echo "commit_id=$(git rev-parse origin/${{ steps.extract_branch.outputs.branch }})" >> $GITHUB_OUTPUT - name: Authenticate as GitHub App - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4 id: get-app-token with: owner: "airbytehq" 
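Review bot: In the last hunk of internal-airbyte-ci-tests.yml the unchanged `run:` line still expands `${{ steps.extract_branch.outputs.branch }}` directly into the shell command, and the next step in the same job mints a GitHub App token, so pinning `actions/create-github-app-token` does not cover that path. If the branch value can originate from a pull request (the step that sets it is outside the hunk, so this is an assumption), it should reach the shell through the environment. Add `env: BRANCH: ${{ steps.extract_branch.outputs.branch }}` to the step and use `git rev-parse "origin/$BRANCH"` in the command. The step's `name:` and `id:` lines are outside the hunk.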
diff --git a/.github/workflows/java-bulk-cdk-publish.yml b/.github/workflows/java-bulk-cdk-publish.yml index 219f45e1640..847417c853d 100644 --- a/.github/workflows/java-bulk-cdk-publish.yml +++ b/.github/workflows/java-bulk-cdk-publish.yml @@ -30,23 +30,23 @@ jobs: timeout-minutes: 30 steps: - name: Checkout Airbyte - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Setup Java - uses: actions/setup-java@v3 + uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3.14.1 with: distribution: "zulu" java-version: "21" - name: Docker login # Some tests use testcontainers which pull images from DockerHub. - uses: docker/login-action@v1 + uses: docker/login-action@dd4fa0671be5250ee6f50aedf4cb05514abda2c7 # v1.14.1 with: username: ${{ secrets.DOCKER_HUB_USERNAME }} password: ${{ secrets.DOCKER_HUB_PASSWORD }} - name: Error if CDK Version Exists - uses: burrunan/gradle-cache-action@v1 + uses: burrunan/gradle-cache-action@3bf23b8dd95e7d2bacf2470132454fe893a178a1 # v1 env: CI: true with: @@ -56,7 +56,7 @@ jobs: arguments: --scan :airbyte-cdk:bulk:checkBuildNumber - name: Build Bulk CDK - uses: burrunan/gradle-cache-action@v1 + uses: burrunan/gradle-cache-action@3bf23b8dd95e7d2bacf2470132454fe893a178a1 # v1 env: CI: true with: @@ -66,7 +66,7 @@ jobs: arguments: --scan :airbyte-cdk:bulk:bulkCdkBuild - name: Publish Poms and Jars to CloudRepo - uses: burrunan/gradle-cache-action@v1 + uses: burrunan/gradle-cache-action@3bf23b8dd95e7d2bacf2470132454fe893a178a1 # v1 env: CI: true CLOUDREPO_USER: ${{ secrets.CLOUDREPO_USER }} @@ -81,7 +81,7 @@ jobs: - name: Post failure to Slack channel if: ${{ env.DRY_RUN == 'false' && failure() }} - uses: slackapi/slack-github-action@v1.23.0 + uses: slackapi/slack-github-action@007b2c3c751a190b6f0f040e47ed024deaa72844 # v1.23.0 continue-on-error: true with: channel-id: C07K1P3UL6Q # The `#dev-java-cdk-releases` channel 
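Review bot: `docker/login-action` is pinned to `dd4fa0671be5250ee6f50aedf4cb05514abda2c7 # v1.14.1` in the first hunk of java-bulk-cdk-publish.yml, while publish_connectors.yml in this same patch pins it to `5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0`. This step receives `DOCKER_HUB_USERNAME` and `DOCKER_HUB_PASSWORD`, so freezing it two majors behind means the credential-handling code stops picking up upstream fixes. Unless something in this workflow depends on v1 behaviour, I would use the newer pin here as well, `uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0`. The `@@ -107,20` hunk of publish-java-cdk-command.yml carries the same v1.14.1 pin.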
@@ -110,7 +110,7 @@ jobs: - name: Post success to Slack channel if: ${{ env.DRY_RUN == 'false' && !failure() }} - uses: slackapi/slack-github-action@v1.23.0 + uses: slackapi/slack-github-action@007b2c3c751a190b6f0f040e47ed024deaa72844 # v1.23.0 continue-on-error: true with: channel-id: C07K1P3UL6Q # The `#dev-java-cdk-releases` channel diff --git a/.github/workflows/java-cdk-tests.yml b/.github/workflows/java-cdk-tests.yml index 8232f9cee11..e95c7c8b6f3 100644 --- a/.github/workflows/java-cdk-tests.yml +++ b/.github/workflows/java-cdk-tests.yml @@ -29,9 +29,9 @@ jobs: steps: - name: Checkout Airbyte if: github.event_name != 'pull_request' - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - id: changes - uses: dorny/paths-filter@v2 + uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 with: filters: | java: @@ -47,9 +47,9 @@ jobs: steps: - name: Checkout Airbyte if: github.event_name != 'pull_request' - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - id: changes-in-bulk - uses: dorny/paths-filter@v2 + uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 with: filters: | java: @@ -64,15 +64,15 @@ jobs: timeout-minutes: 60 steps: - name: Checkout Airbyte - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - name: Java Setup - uses: actions/setup-java@v3 + uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3.14.1 with: distribution: "zulu" java-version: "21" # Help CDK Devs understand CDK version should be incremented on changes. - name: Check that bulk CDK version is incremented - uses: burrunan/gradle-cache-action@v1 + uses: burrunan/gradle-cache-action@3bf23b8dd95e7d2bacf2470132454fe893a178a1 # v1 env: CI: true with: 
@@ -94,14 +94,14 @@ jobs: timeout-minutes: 60 steps: - name: Checkout Airbyte - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - name: Java Setup - uses: actions/setup-java@v3 + uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3.14.1 with: distribution: "zulu" java-version: "21" - name: Run Java CDK Tests - uses: burrunan/gradle-cache-action@v3 + uses: burrunan/gradle-cache-action@663fbad34e03c8f12b27f4999ac46e3d90f87eca # v3.0.1 env: CI: true with: diff --git a/.github/workflows/jvm-connector-pr-structure.yml b/.github/workflows/jvm-connector-pr-structure.yml index 8e868aad7b9..dd6ff0e0b91 100644 --- a/.github/workflows/jvm-connector-pr-structure.yml +++ b/.github/workflows/jvm-connector-pr-structure.yml @@ -10,12 +10,12 @@ jobs: if: github.base_ref == 'master' && github.repository == 'airbytehq/airbyte' steps: - name: Check for changes in bulk CDK - uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47 + uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0 id: cdk-changes with: files: "airbyte-cdk/bulk/**/*" - name: Check for changes in connectors - uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47 + uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0 id: connector-changes with: files: "airbyte-integrations/connectors/**/*" diff --git a/.github/workflows/label-github-issues-by-context.yml b/.github/workflows/label-github-issues-by-context.yml index c37266102e7..ec65d4ac4bd 100644 --- a/.github/workflows/label-github-issues-by-context.yml +++ b/.github/workflows/label-github-issues-by-context.yml 
@@ -13,7 +13,7 @@ jobs: # so we should consider moving off of this specialized action and onto a normal # action step. - name: Run Issue Command from workflow-actions - uses: nick-fields/private-action-loader@v3 + uses: nick-fields/private-action-loader@6fa713597d3de3707f8b7a3029a5c262f32c5bca # v3.0.12 with: pal-repo-token: "${{ secrets.GH_PAT_MAINTENANCE_OCTAVIA }}" pal-repo-name: airbytehq/workflow-actions@production diff --git a/.github/workflows/label-prs-by-context.yml b/.github/workflows/label-prs-by-context.yml index c1893a2eafa..f9851bf7d77 100644 --- a/.github/workflows/label-prs-by-context.yml +++ b/.github/workflows/label-prs-by-context.yml @@ -15,7 +15,7 @@ jobs: # so we should consider moving off of this specialized action onto a normal # action step. - name: Run Issue Command from workflow-actions - uses: nick-fields/private-action-loader@v3 + uses: nick-fields/private-action-loader@6fa713597d3de3707f8b7a3029a5c262f32c5bca # v3.0.12 with: pal-repo-token: "${{ secrets.GH_PAT_MAINTENANCE_OCTAVIA }}" pal-repo-name: airbytehq/workflow-actions@production diff --git a/.github/workflows/live_tests.yml b/.github/workflows/live_tests.yml index 810c0284bb3..4bfc0c77f08 100644 --- a/.github/workflows/live_tests.yml +++ b/.github/workflows/live_tests.yml @@ -52,7 +52,7 @@ jobs: timeout-minutes: 360 # 6 hours steps: - name: Checkout Airbyte - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - name: Extract branch name [WORKFLOW DISPATCH] shell: bash if: github.event_name == 'workflow_dispatch' @@ -61,7 +61,7 @@ jobs: - name: Install Poetry id: install_poetry - uses: snok/install-poetry@v1 + uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1 with: version: 1.8.5 diff --git a/.github/workflows/metadata_service_deploy_orchestrator_dagger.yml b/.github/workflows/metadata_service_deploy_orchestrator_dagger.yml index 49708341654..1ea0253b90d 100644 
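Review bot: Pinning `nick-fields/private-action-loader` in label-github-issues-by-context.yml fixes the loader only; the code it then fetches is still named by a branch, `pal-repo-name: airbytehq/workflow-actions@production`, and the step hands it `secrets.GH_PAT_MAINTENANCE_OCTAVIA`. Whoever can push to that branch therefore still decides what runs with the token, which is the exposure this commit sets out to close for third-party actions. If the loader accepts a commit SHA after the `@` (to be confirmed against its documentation), I would pin that reference too, e.g. `pal-repo-name: airbytehq/workflow-actions@<commit-sha>`; otherwise the existing comment about moving to a normal action step is the way out. The hunk in label-prs-by-context.yml has the same line.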
--- a/.github/workflows/metadata_service_deploy_orchestrator_dagger.yml +++ b/.github/workflows/metadata_service_deploy_orchestrator_dagger.yml @@ -17,7 +17,7 @@ jobs: runs-on: tooling-publish-medium steps: - name: Checkout Airbyte - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - name: Deploy the metadata orchestrator [On merge to master] id: metadata-orchestrator-deploy-orchestrator-pipeline-prod if: github.event_name == 'push' diff --git a/.github/workflows/poe-command.yml b/.github/workflows/poe-command.yml index f845afde260..680c806d18d 100644 --- a/.github/workflows/poe-command.yml +++ b/.github/workflows/poe-command.yml @@ -43,7 +43,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Authenticate as GitHub App - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4 id: get-app-token with: owner: "airbytehq" @@ -51,7 +51,7 @@ jobs: app-id: ${{ secrets.OCTAVIA_BOT_APP_ID }} private-key: ${{ secrets.OCTAVIA_BOT_PRIVATE_KEY }} - name: Run Poe Slash Command Processor - uses: aaronsteers/poe-command-processor@v1 + uses: aaronsteers/poe-command-processor@04330aa7047b6b182ff280a962cbbcd99d6eb683 # v1.3.0 with: pr: ${{ github.event.inputs.pr }} comment-id: ${{ github.event.inputs.comment-id }} diff --git a/.github/workflows/publish-java-cdk-command.yml b/.github/workflows/publish-java-cdk-command.yml index f94dafd1243..7c8fab8a9aa 100644 --- a/.github/workflows/publish-java-cdk-command.yml +++ b/.github/workflows/publish-java-cdk-command.yml 
@@ -82,14 +82,14 @@ jobs: steps: - name: Link comment to Workflow Run if: github.event.inputs.comment-id - uses: peter-evans/create-or-update-comment@v1 + uses: peter-evans/create-or-update-comment@a35cf36e5301d70b76f316e867e7788a55a31dae # v1.4.5 with: comment-id: ${{ github.event.inputs.comment-id }} body: | > :clock2: https://github.com/${{github.repository}}/actions/runs/${{github.run_id}} - name: Checkout Airbyte - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: ref: ${{ env.GITREF }} @@ -107,20 +107,20 @@ jobs: echo "CDK_VERSION=${cdk_version}" >> $GITHUB_ENV - name: Setup Java - uses: actions/setup-java@v3 + uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3.14.1 with: distribution: "zulu" java-version: "21" - name: Docker login # Some tests use testcontainers which pull images from DockerHub. - uses: docker/login-action@v1 + uses: docker/login-action@dd4fa0671be5250ee6f50aedf4cb05514abda2c7 # v1.14.1 with: username: ${{ secrets.DOCKER_HUB_USERNAME }} password: ${{ secrets.DOCKER_HUB_PASSWORD }} - name: Build Java CDK - uses: burrunan/gradle-cache-action@v1 + uses: burrunan/gradle-cache-action@3bf23b8dd95e7d2bacf2470132454fe893a178a1 # v1 env: CI: true with: @@ -133,7 +133,7 @@ jobs: - name: Check for Existing Version # we only check existing version if it's a manual trigger and FORCE is set to false if: ${{ (env.FORCE != 'true') }} - uses: burrunan/gradle-cache-action@v1 + uses: burrunan/gradle-cache-action@3bf23b8dd95e7d2bacf2470132454fe893a178a1 # v1 env: CI: true with: @@ -145,7 +145,7 @@ jobs: - name: Publish Poms and Jars to CloudRepo if: ${{ env.DRY_RUN == 'false' }} - uses: burrunan/gradle-cache-action@v1 + uses: burrunan/gradle-cache-action@3bf23b8dd95e7d2bacf2470132454fe893a178a1 # v1 env: CI: true CLOUDREPO_USER: ${{ secrets.CLOUDREPO_USER }} 
@@ -160,7 +160,7 @@ jobs: - name: Add Success Comment if: github.event.inputs.comment-id && success() - uses: peter-evans/create-or-update-comment@v1 + uses: peter-evans/create-or-update-comment@a35cf36e5301d70b76f316e867e7788a55a31dae # v1.4.5 with: comment-id: ${{ github.event.inputs.comment-id }} edit-mode: append @@ -169,7 +169,7 @@ jobs: - name: Add Failure Comment if: github.event.inputs.comment-id && failure() - uses: peter-evans/create-or-update-comment@v1 + uses: peter-evans/create-or-update-comment@a35cf36e5301d70b76f316e867e7788a55a31dae # v1.4.5 with: comment-id: ${{ github.event.inputs.comment-id }} edit-mode: append @@ -178,7 +178,7 @@ jobs: - name: "Post failure to Slack channel" if: ${{ env.DRY_RUN == 'false' && failure() }} - uses: slackapi/slack-github-action@v1.23.0 + uses: slackapi/slack-github-action@007b2c3c751a190b6f0f040e47ed024deaa72844 # v1.23.0 continue-on-error: true with: channel-id: C07K1P3UL6Q # The `#dev-java-cdk-releases` channel @@ -207,7 +207,7 @@ jobs: - name: "Post success to Slack channel" if: ${{ env.DRY_RUN == 'false' && !failure() }} - uses: slackapi/slack-github-action@v1.23.0 + uses: slackapi/slack-github-action@007b2c3c751a190b6f0f040e47ed024deaa72844 # v1.23.0 continue-on-error: true with: channel-id: C07K1P3UL6Q # The `#dev-java-cdk-releases` channel diff --git a/.github/workflows/publish_connectors.yml b/.github/workflows/publish_connectors.yml index 48f05f4343e..a8138c77822 100644 --- a/.github/workflows/publish_connectors.yml +++ b/.github/workflows/publish_connectors.yml 
@@ -113,14 +113,14 @@ jobs: shell: bash run: docker buildx create --use --driver=docker-container --name builder --platform linux/amd64,linux/arm64 - - uses: actions/setup-java@v4 + - uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1 with: distribution: zulu java-version: 21 cache: gradle - name: Log in to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: username: ${{ secrets.DOCKER_HUB_USERNAME }} password: ${{ secrets.DOCKER_HUB_PASSWORD }} @@ -142,7 +142,7 @@ jobs: version: 1.8.5 - name: Install the latest version of uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0 - name: Install Poe run: | @@ -276,7 +276,7 @@ jobs: run: poetry install --directory airbyte-ci/connectors/metadata_service/lib - name: Install the latest version of uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0 - name: Install Poe run: | @@ -358,7 +358,7 @@ jobs: GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Send publish failures to connector-publish-failures channel id: slack - uses: slackapi/slack-github-action@v1.26.0 + uses: slackapi/slack-github-action@70cd7be8e40a46e8b0eced40b0de447bdb42f68e # v1.26.0 with: # This data can be any valid JSON from a previous step in the GitHub Action payload: | diff --git a/.github/workflows/regression_tests.yml b/.github/workflows/regression_tests.yml index deceb45c8e4..3b3c3a37487 100644 --- a/.github/workflows/regression_tests.yml +++ b/.github/workflows/regression_tests.yml 
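Review bot: The `astral-sh/setup-uv` step in the `@@ -142,7` hunk of publish_connectors.yml is now pinned, but it has no `with:` block and is named "Install the latest version of uv", so the uv binary it downloads is presumably still whatever release is current at run time. In a publish workflow that leaves one unpinned download behind the pinned action. I would add an explicit version under the step, `with:` followed by `version: "<uv-version>"`, chosen by the team and bumped deliberately. The `@@ -276,7` hunk has the same step.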
@@ -55,14 +55,14 @@ jobs: steps: - name: Install Python id: install_python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1 with: python-version: "3.11" check-latest: true update-environment: true - name: Checkout Airbyte - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - name: Extract branch name [WORKFLOW DISPATCH] shell: bash if: github.event_name == 'workflow_dispatch' @@ -71,7 +71,7 @@ jobs: - name: Install Poetry id: install_poetry - uses: snok/install-poetry@v1 + uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1 with: version: 1.8.5 diff --git a/.github/workflows/run-cat-tests-command.yml b/.github/workflows/run-cat-tests-command.yml index 1834c11b5f7..6aa1827fe28 100644 --- a/.github/workflows/run-cat-tests-command.yml +++ b/.github/workflows/run-cat-tests-command.yml @@ -49,7 +49,7 @@ jobs: # If comment-id is not provided, this will create a new # comment with the job run link. id: first-comment-action - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 with: comment-id: ${{ github.event.inputs.comment-id }} issue-number: ${{ github.event.inputs.pr }} @@ -62,7 +62,7 @@ jobs: > - name: Checkout Airbyte - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: repository: ${{ steps.job-vars.outputs.repo }} ref: ${{ steps.job-vars.outputs.branch }} @@ -91,7 +91,7 @@ jobs: subcommand: "connectors --modified test --only-step=acceptance" - name: Append completion comment - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 if: always() with: comment-id: ${{ steps.first-comment-action.outputs.comment-id }} 
diff --git a/.github/workflows/run-connector-tests-command.yml b/.github/workflows/run-connector-tests-command.yml index 1097d9d4e40..d763ac3fd40 100644 --- a/.github/workflows/run-connector-tests-command.yml +++ b/.github/workflows/run-connector-tests-command.yml @@ -52,7 +52,7 @@ jobs: steps: - name: Append start comment id: post-start-comment - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 with: comment-id: ${{ inputs.comment-id }} issue-number: ${{ inputs.pr }} @@ -95,7 +95,7 @@ jobs: steps: - name: Append success comment if: needs.call-connector-ci-tests.outputs.result == 'success' - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 with: comment-id: ${{ needs.post-start-comment.outputs.comment-id }} issue-number: ${{ inputs.pr }} @@ -104,7 +104,7 @@ jobs: - name: Append failure comment if: needs.call-connector-ci-tests.outputs.result != 'success' - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 with: comment-id: ${{ needs.post-start-comment.outputs.comment-id }} issue-number: ${{ inputs.pr }} diff --git a/.github/workflows/slash-commands.yml b/.github/workflows/slash-commands.yml index 53de3a6d614..1cfd959cfb6 100644 --- a/.github/workflows/slash-commands.yml +++ b/.github/workflows/slash-commands.yml @@ -17,7 +17,7 @@ jobs: echo repo="$(echo $pr_info | jq -r '.head.repo.full_name')" >> $GITHUB_OUTPUT - name: Authenticate as GitHub App - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4 id: get-app-token with: owner: "airbytehq" 
@@ -27,7 +27,7 @@ jobs: - name: Slash Command Dispatch (Workflow) id: scd - uses: peter-evans/slash-command-dispatch@v3 + uses: peter-evans/slash-command-dispatch@f996d7b7aae9059759ac55e978cff76d91853301 # v3.0.2 with: token: ${{ steps.get-app-token.outputs.token }} permission: write @@ -62,7 +62,7 @@ jobs: - name: Edit comment with error message if: steps.scd.outputs.error-message - uses: peter-evans/create-or-update-comment@v1 + uses: peter-evans/create-or-update-comment@a35cf36e5301d70b76f316e867e7788a55a31dae # v1.4.5 with: comment-id: ${{ github.event.comment.id }} body: | diff --git a/.github/workflows/stale-community-issues.yaml b/.github/workflows/stale-community-issues.yaml index 2b1611375e4..2f1f95d07ee 100644 --- a/.github/workflows/stale-community-issues.yaml +++ b/.github/workflows/stale-community-issues.yaml @@ -10,14 +10,14 @@ jobs: issues: write steps: - name: Authenticate as GitHub App - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4 id: get-app-token with: owner: "airbytehq" repositories: "airbyte" app-id: ${{ secrets.OCTAVIA_BOT_APP_ID }} private-key: ${{ secrets.OCTAVIA_BOT_PRIVATE_KEY }} - - uses: actions/stale@v5 + - uses: actions/stale@f7176fd3007623b69d27091f9b9d4ab7995f0a06 # v5.2.1 with: any-of-labels: "community" exempt-issue-labels: "frozen" diff --git a/.github/workflows/stale-routed-issues.yaml b/.github/workflows/stale-routed-issues.yaml index 019f3bc3e0e..0d3201cf4ab 100644 --- a/.github/workflows/stale-routed-issues.yaml +++ b/.github/workflows/stale-routed-issues.yaml 
@@ -11,14 +11,14 @@ jobs: pull-requests: write steps: - name: Authenticate as GitHub App - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4 id: get-app-token with: owner: "airbytehq" repositories: "airbyte" app-id: ${{ secrets.OCTAVIA_BOT_APP_ID }} private-key: ${{ secrets.OCTAVIA_BOT_PRIVATE_KEY }} - - uses: actions/stale@v5 + - uses: actions/stale@f7176fd3007623b69d27091f9b9d4ab7995f0a06 # v5.2.1 with: any-of-labels: "frozen" days-before-issue-stale: 365 diff --git a/.github/workflows/test-performance-command.yml b/.github/workflows/test-performance-command.yml index 1c5f66e99ca..9f4c9c2ecbc 100644 --- a/.github/workflows/test-performance-command.yml +++ b/.github/workflows/test-performance-command.yml @@ -39,7 +39,7 @@ jobs: ec2-instance-id: ${{ steps.start-ec2-runner.outputs.ec2-instance-id }} steps: - name: Checkout Airbyte - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: repository: ${{ github.event.inputs.repo }} ref: ${{ github.event.inputs.gitref }} @@ -64,7 +64,7 @@ jobs: steps: - name: Search for valid connector name format id: regex - uses: AsasInnab/regex-action@v1 + uses: AsasInnab/regex-action@93439ac11aa6a032a673c8711231d8cef044daaa # v1 with: regex_pattern: "^((connectors|bases)/)?[a-zA-Z0-9-_]+$" regex_flags: "i" # required to be set for this plugin 
@@ -74,23 +74,23 @@ jobs: run: echo "The connector provided has an invalid format!" && exit 1 - name: Link comment to workflow run if: github.event.inputs.comment-id - uses: peter-evans/create-or-update-comment@v1 + uses: peter-evans/create-or-update-comment@a35cf36e5301d70b76f316e867e7788a55a31dae # v1.4.5 with: comment-id: ${{ github.event.inputs.comment-id }} body: | > :clock2: ${{github.event.inputs.connector}} https://github.com/${{github.repository}}/actions/runs/${{github.run_id}} - name: Checkout Airbyte - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: repository: ${{ github.event.inputs.repo }} ref: ${{ github.event.inputs.gitref }} - name: Install Java - uses: actions/setup-java@v3 + uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3.14.1 with: distribution: "zulu" java-version: "21" - name: Install Python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1 with: python-version: "3.11" check-latest: true @@ -133,7 +133,7 @@ jobs: GCP_GSM_CREDENTIALS: ${{ secrets.GCP_GSM_CREDENTIALS }} - name: Archive test reports artifacts if: github.event.inputs.comment-id && failure() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: test-reports path: | @@ -147,7 +147,7 @@ jobs: - name: Test coverage reports artifacts if: github.event.inputs.comment-id && success() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: test-reports path: | @@ -155,7 +155,7 @@ jobs: retention-days: 3 - name: Add Success Comment if: github.event.inputs.comment-id && success() - uses: peter-evans/create-or-update-comment@v1 + uses: peter-evans/create-or-update-comment@a35cf36e5301d70b76f316e867e7788a55a31dae # v1.4.5 with: comment-id: ${{ github.event.inputs.comment-id }} body: | 
@@ -163,7 +163,7 @@ jobs: ${{env.PYTHON_UNITTEST_COVERAGE_REPORT}} - name: Add Failure Comment if: github.event.inputs.comment-id && failure() - uses: peter-evans/create-or-update-comment@v1 + uses: peter-evans/create-or-update-comment@a35cf36e5301d70b76f316e867e7788a55a31dae # v1.4.5 with: comment-id: ${{ github.event.inputs.comment-id }} body: | @@ -180,20 +180,20 @@ jobs: if: ${{ always() }} # required to stop the runner even if the error happened in the previous jobs steps: - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0 with: aws-access-key-id: ${{ secrets.SELF_RUNNER_AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.SELF_RUNNER_AWS_SECRET_ACCESS_KEY }} aws-region: us-east-2 - name: Checkout Airbyte - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Check PAT rate limits run: | ./tools/bin/find_non_rate_limited_PAT \ ${{ secrets.GH_PAT_BUILD_RUNNER_OSS }} \ ${{ secrets.GH_PAT_BUILD_RUNNER_BACKUP }} - name: Stop EC2 runner - uses: supertopher/ec2-github-runner@base64v1.0.10 + uses: supertopher/ec2-github-runner@0a62b16b7a86a45725a1755884f8cee7a5068ad8 # base64v1.0.10 with: mode: stop github-token: ${{ env.PAT }} diff --git a/.github/workflows/update-connector-cdk-version-command.yml b/.github/workflows/update-connector-cdk-version-command.yml index f6f01e0d427..f214b8e26a5 100644 --- a/.github/workflows/update-connector-cdk-version-command.yml +++ b/.github/workflows/update-connector-cdk-version-command.yml @@ -36,7 +36,7 @@ jobs: - name: Append comment with job run link id: first-comment-action - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 with: comment-id: ${{ github.event.inputs.comment-id }} issue-number: ${{ github.event.inputs.pr }} 
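Review bot: `supertopher/ec2-github-runner@0a62b16b7a86a45725a1755884f8cee7a5068ad8 # base64v1.0.10`, in the `@@ -180,20` hunk of test-performance-command.yml, appears to point at a fork under a personal account, and the step is given `github-token: ${{ env.PAT }}` in a job that has just configured AWS credentials. GitHub's hardening guidance asks that a pinned SHA be confirmed to belong to the named repository rather than to another fork in its network, and that check matters most for a reference like this one. I would verify the commit in the `supertopher/ec2-github-runner` history and, longer term, mirror the fork into the organisation so the pinned code lives in a repository the team controls. The job's header is outside the hunk.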
@@ -44,7 +44,7 @@ jobs: > Update CDK version job started for `${{ github.event.inputs.connector }}`. Check the [job logs](${{ steps.resolve-job-vars.outputs.run-url }}) for details. - name: Checkout Airbyte - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: submodules: true # Needed for airbyte-enterprise connectors (no-op otherwise) @@ -71,13 +71,13 @@ jobs: fi - name: Setup Java - uses: actions/setup-java@v4 + uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1 with: distribution: "zulu" java-version: "21" - name: Setup Gradle - uses: gradle/actions/setup-gradle@v4 + uses: gradle/actions/setup-gradle@748248ddd2a24f49513d8f472f81c3a07d4d50e1 # v4.4.4 - name: Run CDK upgrade run: ./gradlew ":airbyte-integrations:connectors:${{ github.event.inputs.connector }}:upgradeCdk" @@ -98,7 +98,7 @@ jobs: git push - name: Append success comment - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 if: steps.git-diff.outputs.changes == 'true' with: comment-id: ${{ steps.first-comment-action.outputs.comment-id }} @@ -107,7 +107,7 @@ jobs: > ✅ Successfully updated CDK version for `${{ github.event.inputs.connector }}`. - name: Append success comment (no-op) - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 if: steps.git-diff.outputs.changes != 'true' with: comment-id: ${{ steps.first-comment-action.outputs.comment-id }} 
@@ -116,7 +116,7 @@ jobs: > ✅ CDK version for `${{ github.event.inputs.connector }}` was already up to date (no changes made). - name: Append validation failure comment - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 if: failure() && steps.validate-connector.outputs.error with: comment-id: ${{ steps.first-comment-action.outputs.comment-id }} @@ -125,7 +125,7 @@ jobs: > 🔴 **Validation Error**: ${{ steps.validate-connector.outputs.error }} - name: Append failure comment - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 if: failure() && !steps.validate-connector.outputs.error with: comment-id: ${{ steps.first-comment-action.outputs.comment-id }} diff --git a/.github/workflows/upload-metadata-files.yml b/.github/workflows/upload-metadata-files.yml index 38b83d4c0db..fb60b23e821 100644 --- a/.github/workflows/upload-metadata-files.yml +++ b/.github/workflows/upload-metadata-files.yml @@ -9,15 +9,15 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout Airbyte Cloud - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - name: Get changed files id: changed-files - uses: tj-actions/changed-files@v44 + uses: tj-actions/changed-files@2d756ea4c53f7f6b397767d8723b3a10a9f35bf2 # v44.0.0 with: files: "airbyte-integrations/connectors/**/metadata.yaml" - name: Setup Python 3.10 if: steps.changed-files.outputs.any_changed == 'true' - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1 with: python-version: "3.11" check-latest: true 
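Review bot: In the first hunk of upload-metadata-files.yml `tj-actions/changed-files` is pinned to `2d756ea4c53f7f6b397767d8723b3a10a9f35bf2 # v44.0.0`, while jvm-connector-pr-structure.yml in this same patch uses `24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0`. Two pins of one action mean two commits to audit and two to keep updated. Unless the `files:` filter here relies on v44 behaviour, I would align it: `uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0`. Separately, the step named "Setup Python 3.10" in this hunk sets `python-version: "3.11"`, so the name should be corrected.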
@@ -37,7 +37,7 @@ jobs: done - name: Slack Notification - Failure if: failure() - uses: rtCamp/action-slack-notify@master + uses: rtCamp/action-slack-notify@07cbdbfd6c6190970778d8f98f11d073b2932aae # master env: SLACK_WEBHOOK: ${{ secrets.PUBLISH_ON_MERGE_SLACK_WEBHOOK }} SLACK_USERNAME: Metadata Service diff --git a/.github/workflows/welcome-message.yml b/.github/workflows/welcome-message.yml index 85fce6cd11b..52dcb64be7d 100644 --- a/.github/workflows/welcome-message.yml +++ b/.github/workflows/welcome-message.yml @@ -28,11 +28,11 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - name: Render template id: template - uses: chuhlomin/render-template@v1.4 + uses: chuhlomin/render-template@f828bb5c72a3e3af89cb79808cea490166c6f1ce # v1.4 with: # Use a different template for internal vs forks (community) template: ${{ github.event.pull_request.head.repo.fork == true && '.github/pr-welcome-community.md' || '.github/pr-welcome-internal.md' }} @@ -40,7 +40,7 @@ jobs: repo_name: ${{ github.event.pull_request.head.repo.full_name }} - name: Create comment - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 with: issue-number: ${{ github.event.pull_request.number }} body: ${{ steps.template.outputs.result }}
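Review bot: `rtCamp/action-slack-notify@07cbdbfd6c6190970778d8f98f11d073b2932aae # master`, in the `@@ -37,7` hunk of upload-metadata-files.yml, is pinned to whatever commit the branch head was when the tool ran, and the `# master` label names no release. That commit cannot be matched against a changelog and gives an updater no version to compare, so the pin is likely to stay as it is while the step keeps receiving `secrets.PUBLISH_ON_MERGE_SLACK_WEBHOOK`. I would pin to the commit of a tagged release instead, `uses: rtCamp/action-slack-notify@<release-commit-sha> # <release-tag>`.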